'Flashback' trojan estimated to have infected 600K Macs worldwide

Posted in macOS, edited January 2014


A trojan horse named "Flashback" that surfaced last year is believed to have created a botnet including more than 600,000 infected Macs around the world, with more than half of them in the U.S. alone.



Russian antivirus company Dr. Web issued a report on Wednesday noting that 550,000 computers running OS X had been infected by BackDoor.Flashback variants of the malware, as highlighted by ArsTechnica.



An analyst for the company later updated the figure to note that the size of the botnet had reached 600,000. He also pointed out that 274 bots originate from Apple's hometown of Cupertino, Calif.



According to a map released by the firm, 56.6 percent of infected computers are located in the United States. Canada was second with 19.8 percent, followed by the U.K. with 12.8 percent of cases.



Apple released a Java Security update on Tuesday to resolve the vulnerabilities that the malware is exploiting, but not before a number of Mac users had been hit with the malicious software. Oracle first issued a fix for the vulnerability in February.



Security firm Intego publicized the Flashback trojan last September. Some variants of the software were even discovered with the potential to disable anti-malware protections within OS X.



Researchers at F-Secure have provided instructions on how to detect and remove the malware.




Comments

  • Reply 1 of 124
    Thank goodness I have had AV installed on all my Macs for a while now :-)
  • Reply 2 of 124
    No problems for me. No AV software either bar ClamXav. I already had disabled "Enable Java" via Safari>Preference>Security.
  • Reply 3 of 124
    I'm clean. No AV software since the late 1990s.
  • Reply 4 of 124
    alfiejr Posts: 1,524 member
    um, has anybody at AI (or anyplace) bothered to check if:



    - "Dr. Web" of Russia is for real?

    - they actually know what they are talking about?

    - they have some fact-based stats, and are not pulling numbers out of their butt?

    - anybody knows the identity of any of the purported Trojan websites? like even one? and has proved it is in fact operational as reported?
  • Reply 5 of 124
    spinnerlys Posts: 218 member
    Quote:
    Originally Posted by AppleInsider View Post


    ...infected by BackDoor.Flashback variants of the virus,...



    ...to resolve the vulnerabilities that the virus is exploiting



    What is it now? Didn't you write, that it is a trojan, but now you write, it is a virus.

    Make up your mind.



    Anyway, since there are no viruses affecting Mac OS X in public circulation, this is probably a trojan. To learn the difference, which is just a tiny bit important, as the word "virus" probably gets you more clicks, look here.
  • Reply 6 of 124
    andreid Posts: 96 member
    Quote:
    Originally Posted by Alfiejr View Post


    um, has anybody at AI (or anyplace) bothered to check if:



    - "Dr. Web" of Russia is for real?

    - they actually know what they are talking about?

    - they have some fact-based stats, and are not pulling numbers out of their butt?

    - anybody knows the identity of any of the purported Trojan websites? like even one? and has proved it is in fact operational as reported?



    Exactly ! Pitiful research, pitiful article and it's a pity AppleInsider reposted this junk (which makes it worse imho).



    I find it striking that Dr. Web knows exactly how many bots came from Cupertino ... not 273 and not 275...exactly 274.



    PS: No AV software either and I strongly discourage using AV on Macs for the time being. My whole office is packed with Macs and, among others, as IT administrator, we had no problems whatsoever with any kind of malware ever. Those apps like MacScan and AV software imho are made just to sell you their product for bs reasons. Practice safe computing and common sense and it's all OK.
  • Reply 7 of 124
    irnchriz Posts: 1,616 member
    OMFG I'm infected









    NOT.



  • Reply 8 of 124
    nagromme Posts: 2,834 member
    I've never run AV software, but I also never enable Java unless a web site needs it for something important.*



    A trojan (NOT virus) is essentially a lie: someone tells you to install something, and you decide to trust them, but what you get is actually something different. There can never be complete protection from being lied to--although Apple seems to have largely cracked that challenge with Lion. So enjoy your Mac trojan-making while you can!



    * Which never happens (for me).
  • Reply 9 of 124
    hill60 Posts: 6,992 member
    From the F-Secure link:



    "Installation



    On execution, the malware checks if the following path exists in the system:

    /Library/Little Snitch

    /Developer/Applications/Xcode.app/Contents/MacOS/Xcode

    /Applications/VirusBarrier X6.app

    /Applications/iAntiVirus/iAntiVirus.app

    /Applications/avast!.app

    /Applications/ClamXav.app

    /Applications/HTTPScoop.app

    /Applications/Packet Peeper.app



    If any of these are found, the malware will skip the rest of its routine and proceed to delete itself."



    Good thing I've got Little Snitch installed, no Trojan here.
  • Reply 10 of 124
    iqatedo Posts: 1,822 member
    Quote:
    Originally Posted by irnchriz View Post


    OMFG I'm infected

    ...

    NOT.





    Oh, good, my heart skipped a beat there.



    I'm free too, which means that I still go back to the mid-eighties for my last known trouble with a virus (although this is a Trojan). My computer's free too.
  • Reply 11 of 124
    mcmach Posts: 8 member
    Quote:
    Originally Posted by Alfiejr View Post


    um, has anybody at AI (or anyplace) bothered to check if:



    - "Dr. Web" of Russia is for real?

    - they actually know what they are talking about?

    - they have some fact-based stats, and are not pulling numbers out of their butt?

    - anybody knows the identity of any of the purported Trojan websites? like even one? and has proved it is in fact operational as reported?



    My thoughts exactly. It is always amazing how these "security companies" come up with such exact numbers, that too country wise! And always from pedlars of "security software". Talk about vested interest or scareware as you wish to call it.
  • Reply 12 of 124
    Not sure why you kids get so worked up about this stuff. I'm glad AI is circulating what might be an important issue for a handful of people. Not everything has to be an Apple PR spot, does it?



    Or for you guys, maybe it does?



    Is it against the rules to mention that my trackpad broke the other day? Or the home button on my iPhone is unresponsive without pressing fairly hard?



    I've had a few other problems also. It's a mixed bag, here in reality. Maybe you're better off not joining me after all. :P
  • Reply 13 of 124
    adamw Posts: 114 guest
    I WAS infected with this Trojan, until I saw this article and followed the uninstall instructions. The trojan installed without my permission ~ March 3rd according to the file date of the trojan that was installed.



    I had the variant that installed in my global preferences and intercepted my Safari screen characters and keystrokes. It got access to my Mac using Java, without me typing the Admin password or notifying me to install it. This stealth trojan had been running for about a month now, before I discovered it.



    I have now turned off Java, and updated to the latest Apple supplied version of Java which they just released a day or so ago. This exploit in Java has been known since February, and I am very annoyed with Apple for not fixing their version of Java, and notifying us of this earlier. It would have likely prevented the Java hole to exist that this trojan exploited to infect my Mac Pro without my knowledge.



    I was unhappy to find out today that I had this trojan installed on my Mac Pro, but I am relieved now that I was able to uninstall it. I changed my various online account passwords, to prevent the people who ran this botnet from using my personal account names and passwords.



    I thought my Mac was more secure than this. I appreciate the reports about this trojan, which caused me to check, and let me know my Mac had been compromised.
  • Reply 14 of 124
    oseame Posts: 73 member
    Quote:
    Originally Posted by hill60 View Post


    From the F-Secure link:



    "Installation



    On execution, the malware checks if the following path exists in the system:

    /Library/Little Snitch

    /Developer/Applications/Xcode.app/Contents/MacOS/Xcode

    /Applications/VirusBarrier X6.app

    /Applications/iAntiVirus/iAntiVirus.app

    /Applications/avast!.app

    /Applications/ClamXav.app

    /Applications/HTTPScoop.app

    /Applications/Packet Peeper.app



    If any of these are found, the malware will skip the rest of its routine and proceed to delete itself."



    Good thing I've got Little Snitch installed, no Trojan here.



    Not necessarily true, I got the .rserv variant in my home folder the other day, luckily I have Little Snitch installed but that didn't prevent it faking a software update dialogue in a failed attempt to have me give it my password, or prevent it attempting to download the payload from various Russian servers... which was blocked by Little Snitch, alerting me to the trojan.



    I'm an IT guy - I probably got this from an unsafe website like a bittorrent site and the trojan didn't manage to install but the fact that it downloaded itself and faked a software update dialogue is deeply troubling!

    In our office I'm the only one with the admin password though, so although people could download the trojan the impact should be limited.



    I noticed Dr Web posting on the apple communities posts regarding this issue - he seemed well informed - but given that it's been proven before that a large Russian group is responsible for at least a large part of these attacks it is kinda funny to see a Russian antivirus company cited here.
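The self-deletion check quoted in hill60's reply and again above, turned into a read-only audit as an added shell example (not code from the article, F-Secure or any commenter): it reports which of the quoted paths exist under a given root and whether that variant's own bail-out condition would hold. The root argument and the FLASHBACK_AUDIT switch are assumptions of the example, and as the .rserv report above shows, a present path says nothing about variants that skip this check.

```shell
#!/bin/sh
# Added example, not code from the article, F-Secure or any commenter.
# It turns the self-deletion check quoted above into a read-only audit:
# which of the listed paths exist, and would the quoted variant's own
# bail-out condition hold? No path present is NOT evidence of infection,
# and presence only matters for variants that perform this check (the
# .rserv report above did not abort on a Little Snitch install).

# The paths exactly as quoted in the F-Secure excerpt, one per line.
FLASHBACK_ABORT_PATHS='/Library/Little Snitch
/Developer/Applications/Xcode.app/Contents/MacOS/Xcode
/Applications/VirusBarrier X6.app
/Applications/iAntiVirus/iAntiVirus.app
/Applications/avast!.app
/Applications/ClamXav.app
/Applications/HTTPScoop.app
/Applications/Packet Peeper.app'

# flashback_abort_paths_present [ROOT]
# ROOT is an assumed parameter (default: live filesystem) so the same
# check can run against a mounted image or a scratch directory.
# Prints each path found; returns 0 if at least one exists, else 1.
flashback_abort_paths_present() {
    root="${1:-}"
    root="${root%/}"   # "/" and "" both mean the live root
    found=0
    # Paths contain spaces, so read line by line instead of word-splitting.
    while IFS= read -r p; do
        if [ -e "${root}${p}" ]; then
            printf 'present: %s\n' "${root}${p}"
            found=1
        fi
    done <<EOF
$FLASHBACK_ABORT_PATHS
EOF
    if [ "$found" -eq 0 ]; then
        echo "none of the quoted paths exist: this variant's self-delete check would not trigger"
    fi
    [ "$found" -eq 1 ]
}

# Stand-alone use (guarded so the file can also be sourced for its function):
#   FLASHBACK_AUDIT=1 sh flashback_audit.sh [/Volumes/MountedImage]
if [ -n "${FLASHBACK_AUDIT:-}" ]; then
    flashback_abort_paths_present "$@"
    exit $?
fi
```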
  • Reply 15 of 124
    As a side note, Software update popped up while I was reading this article to inform me that the java update was available, and it weighs in at 66.6 MB... clearly evil things are going on, although following the steps in the article I came up clear on it.
  • Reply 16 of 124
    xsamplex Posts: 214 member
    Thanks for telling us what this Trojan horse, or virus, supposedly does. Solid reporting.
  • Reply 17 of 124
    nelsonx Posts: 278 member
    Quote:
    Originally Posted by Alfiejr View Post


    um, has anybody at AI (or anyplace) bothered to check if:



    - "Dr. Web" of Russia is for real?

    - they actually know what they are talking about?

    - they have some fact-based stats, and are not pulling numbers out of their butt?

    - anybody knows the identity of any of the purported Trojan websites? like even one? and has proved it is in fact operational as reported?



    Yes it is for real. You could have found this out yourself if you had checked with Google. But of course you cannot use Google because Google is "The Enemy", right?

    Doctor Web is an antivirus company established in 1992: http://en.wikipedia.org/wiki/Dr._Web
  • Reply 18 of 124
    stelligent Posts: 2,680 member
    Not installing AV is a bragging right? Just because you use a Mac?



    That's tantamount to saying you sleep around bareback because you run in the *right* circle (where all women use the pill and no one has STDs).



    You don't feel the need to use AV because the odds are on your side. Fine. But to brag about it like you've accomplished something special?



    How do you spell naive?
  • Reply 19 of 124
    ipilya Posts: 195 member
    Dear AI Staff,



    Please... do not fall to the shame and disgrace of publishing sensationalism. You do not need to garnish more page views from this tactic. Keep your loyal readers by keeping to sensible journalistic standards!



    What you term as a "Virus" is NOT a virus. Here is the one and only thing you really need to know (though better to know more). If you need to enter in your (admin) password, it's not a virus. Simple!



    sigh.... I am losing faith.
  • Reply 20 of 124
    MacPro Posts: 19,718 member
    Quote:
    Originally Posted by adamw View Post


    I WAS infected with this Trojan, until I saw this article and followed the uninstall instructions. The trojan installed without my permission ~ March 3rd according to the file date of the trojan that was installed.



    I had the variant that installed in my global preferences and intercepted my Safari screen characters and keystrokes. It got access to my Mac using Java, without me typing the Admin password or notifying me to install it. This stealth trojan had been running for about a month now, before I discovered it.



    I have now turned off Java, and updated to the latest Apple supplied version of Java which they just released a day or so ago. This exploit in Java has been known since February, and I am very annoyed with Apple for not fixing their version of Java, and notifying us of this earlier. It would have likely prevented the Java hole to exist that this trojan exploited to infect my Mac Pro without my knowledge.



    I was unhappy to find out today that I had this trojan installed on my Mac Pro, but I am relieved now that I was able to uninstall it. I changed my various online account passwords, to prevent the people who ran this botnet from using my personal account names and passwords.



    I thought my Mac was more secure than this. I appreciate the reports about this trojan, which caused me to check, and let me know my Mac had been compromised.



    As a Mac Pro user I am surprised you are not a bit more savvy. I would suggest investing in Little Snitch rather than relying on Christian Prayers & Music.